!47 [sync] PR-46: fix CVE-2021-34337
From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia
46cd6356ed
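--- a/CVE-2021-34337.patch
+++ b/CVE-2021-34337.patch
@@ -0,0 +1,44 @@
+From e4a39488c4510fcad8851217f10e7337a196bb51 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta <legoktm@debian.org>
+Date: Tue, 8 Jun 2021 00:54:14 -0400
+Subject: [PATCH] Check the REST API password in a way that is resistant to
+timing attacks (CVE-2021-34337)
+
+Using basic string equality is vulnerable to timing attacks as it will
+short circuit at the first wrong character. Using hmac.compare_digest
+avoids that issue and will take the same time, regardless of whether
+the value is correct or not.
+
+This is only exploitable if an attacker can talk directly to the
+REST API, which by default is bound to localhost.
+
+Fixes #911.
+---
+src/mailman/rest/wsgiapp.py | 4 +++-
+1 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mailman/rest/wsgiapp.py b/src/mailman/rest/wsgiapp.py
+index 14d9a4e03..ab5be448d 100644
+--- a/src/mailman/rest/wsgiapp.py
++++ b/src/mailman/rest/wsgiapp.py
+@@ -18,6 +18,7 @@
+"""Basic WSGI Application object for REST server."""
+
+import re
++import hmac
+import logging
+
+from base64 import b64decode
+@@ -55,7 +56,8 @@ class Middleware:
+credentials = b64decode(request.auth[6:]).decode('utf-8')
+username, password = credentials.split(':', 1)
+if (username == config.webservice.admin_user and
+- password == config.webservice.admin_pass):
++ hmac.compare_digest(
++ password, config.webservice.admin_pass)):
+authorized = True
+if not authorized:
+# Not authorized.
+--
+GitLab
+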
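Review bot: In the wsgiapp.py hunk, `hmac.compare_digest(password, config.webservice.admin_pass)` is handed two `str` values, and `compare_digest` only accepts `str` operands when both are pure ASCII — otherwise it raises `TypeError`. Because `credentials` is decoded as UTF-8 two lines earlier, a non-ASCII password (submitted by a client or configured by an operator) would trigger an unhandled exception at this line instead of leaving `authorized` unset, presumably surfacing as a server error rather than a 401. Comparing the UTF-8 encodings avoids that: `hmac.compare_digest(password.encode('utf-8'), config.webservice.admin_pass.encode('utf-8'))`. Note also that `username == config.webservice.admin_user` still short-circuits ahead of the `and`, so the constant-time comparison only runs once the username matches; whether that residual timing difference matters depends on how secret the admin user name is considered. The enclosing method of `Middleware` starts and ends outside the hunk.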
@ -7,7 +7,7 @@
|
Name: mailman
Name: mailman
Version: 3.3.2
Version: 3.3.2
Release: 4
Release: 5
Epoch: 3
Epoch: 3
Summary: The GNU mailing list manager
Summary: The GNU mailing list manager
License: GPLv3
License: GPLv3
@ -23,6 +23,7 @@ Patch11: mailman-subject-prefix.patch
Patch14: mailman-use-either-importlib_resources-or-directly-importlib.patch
Patch14: mailman-use-either-importlib_resources-or-directly-importlib.patch
Patch15: fixbuilderror-1.patch
Patch15: fixbuilderror-1.patch
Patch16: fixbuilderror-2.patch
Patch16: fixbuilderror-2.patch
Patch17: CVE-2021-34337.patch
BuildArch: noarch
BuildArch: noarch
BuildRequires: glibc-langpack-en
BuildRequires: glibc-langpack-en
BuildRequires: python%{python3_pkgversion}-devel >= 3.5 python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-devel >= 3.5 python%{python3_pkgversion}-setuptools
@ -204,6 +205,9 @@ done
%{_datadir}/selinux/*/mailman3.pp
%{_datadir}/selinux/*/mailman3.pp
|
%changelog
%changelog
* Sun Oct 09 2022 liyuxiang <liyuxiang@ncti-gba.cn> - 3:3.3.2-5
- fix CVE-2021-34337
|
* Thu Jan 13 2022 liwu <liwu13@huawei.com> - 3.3.2-4
* Thu Jan 13 2022 liwu <liwu13@huawei.com> - 3.3.2-4
- fix build error
- fix build error
|
|